September 22nd, 2005

Firefox woes spread to Linux

Posted by George Ou @ 2:05 am

Categories: Security

When I saw all the headlines this week about a new Symantec report contradicting popular perception that Firefox was the secure alternative to Microsoft Internet Explorer, the timing couldn’t have been better. Just three days earlier, I wrote this blog about Firefox surpassing Microsoft Internet Explorer in monthly vulnerabilities and a flood of angry comments followed in the talkback — and Slashdot had another 500-plus comments. It was almost as if I violated one of the ten commandments of "thou shalt not speak ill of any Open Source application" even though I never drew any conclusions on which browser was less secure. Predictably, the debate spilled into Windows bashing and some of the comments blamed the Firefox problems on Windows. But even as the debate raged on, a new extremely critical vulnerability for Firefox came to light and this time it only affected UNIX and Linux systems.

This new Firefox vulnerability is extremely dangerous because it’s so easy to exploit and allows arbitrary code execution with zero user interaction. All that is needed to exploit this vulnerability is a simple URL crafted to execute any shell command. The details of the exploit have been publicly released, so it would be wise to upgrade to the latest edition of Firefox immediately if you have Firefox.

The year 2004 revived the browser wars with the entry of Mozilla Firefox. While it can be debated until the end of time which browser is more secure, 2005 has shown us that Firefox is not the panacea it was made out to be. Microsoft and Mozilla are at least doing what they can to fix the bugs, and the browser we use doesn’t matter as much as some make it out to be. The best thing we can do is to make sure we’re not running Windows as an Administrator no matter which browser we use. This may be a little hard before Windows Vista UAP arrives because some applications break in user-mode, but even then there are alternatives like DropMyRights that allow you to individually neuter applications even when you’re running as an Administrator. Keep in mind that non-administrative mode only reduces the security issues, so it’s no substitute for staying up to date with security patches.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
